- Subject: Re: Lua 5.4.0-rc5 segfault in low memory conditions
- From: Sergey Zakharchenko <doublef.mobile@...>
- Date: Sat, 13 Jun 2020 18:31:27 +0400
Hello Bogdan,
[I apologise to everyone not interested in this discussion for my
overly long emails. If I could, I would make them shorter.]
Bogdan Marinescu <bogdan.marinescu@gmail.com>:
> That stack trace looks very familiar. I'm about 90% sure that I saw the same error with Lua 5.3.5
This cannot be ruled out; shall I run a similar test against 5.3.5?
Sergey Zakharchenko:
>> The system I can run 'rr' on is also x86-64 but has glibc 2.30, and
>> the issue isn't triggered by failing #345 (I've also switched to
>> testing based on git commits, at 69e84805 now). Back to brute-force
>> search...
This system crashes when set to fail allocation #336 (which tries to
allocate 56 bytes for an object of type 5); the crash itself happens
after allocation #357 but before #358 is reached. Instead, an attempt is
seemingly made to add a sub-prototype to an array that is somehow NULL.
Here's the relevant part of the allocation log, showing the fate of the
memory area in question:
00000330 (nil) 4 0x564a299685e0 30
00000331 (nil) 4 0x564a29968610 33
00000332 (nil) 4 0x564a29968640 28
00000333 0x564a29966f20 25 (nil) 0
00000334 (nil) 4 0x564a29966f20 34
00000335 (nil) 6 0x564a29969870 40
fail_alloc_at: 00000336: failing
00000336 (nil) 5 (nil) 56
00000337 (nil) 5 0x564a299698a0 56
00000338 (nil) 10 0x564a299698e0 128 <--- the proto is created
00000339 (nil) 0 0x564a29969970 32
00000340 (nil) 0 0x564a29963b70 16
00000341 (nil) 0 0x564a299699a0 4
00000342 (nil) 0 0x564a299699c0 64
00000343 (nil) 0 0x564a29969a10 24
00000344 (nil) 0 (nil) 0
00000345 0x564a29963b70 16 (nil) 0
00000346 (nil) 0 (nil) 0
00000347 (nil) 0 (nil) 0
00000348 0x564a299699a0 4 (nil) 0
00000349 (nil) 0 (nil) 0
00000350 (nil) 0 (nil) 0
00000351 0x564a299699c0 64 (nil) 0
00000352 0x564a299698e0 128 (nil) 0 <--- the proto is deleted
00000353 (nil) 0 0x564a29969a30 48
00000354 (nil) 0 (nil) 0
00000355 0x564a29969a10 24 (nil) 0
00000356 (nil) 0 0x564a29969a70 32
00000357 (nil) 10 0x564a299698e0 128 <--- another(?) proto is created in the same area
0x0000564a27d8b768 in addprototype (ls=ls@entry=0x7ffdadcadfe0) at lparser.c:699
699 f->p[fs->np++] = clp = luaF_newproto(L);
(rr) l
694 int oldsize = f->sizep;
695 luaM_growvector(L, f->p, fs->np, f->sizep, Proto *,
MAXARG_Bx, "functions");
696 while (oldsize < f->sizep)
697 f->p[oldsize++] = NULL;
698 }
699 f->p[fs->np++] = clp = luaF_newproto(L);
700 luaC_objbarrier(L, f, clp);
701 return clp;
702 }
703
(rr) print f
$1 = (Proto *) 0x564a299698e0
(rr) print *f
$2 = {next = 0x564a299698a0, tt = 10 '\n', marked = 16 '\020',
numparams = 0 '\000', is_vararg = 0 '\000', maxstacksize = 0 '\000',
sizeupvalues = 0, sizek = 0, sizecode = 0, sizelineinfo = 0, sizep =
0, sizelocvars = 0, sizeabslineinfo = 0, linedefined = 0,
lastlinedefined = 0, k = 0x0, code = 0x0, p = 0x0,
upvalues = 0x0, lineinfo = 0x0, abslineinfo = 0x0, locvars = 0x0,
source = 0x0, gclist = 0x0}
(rr) bt
#0 0x0000564a27d8b768 in addprototype (ls=ls@entry=0x7ffdadcadfe0) at
lparser.c:699
#1 body (ls=ls@entry=0x7ffdadcadfe0, e=e@entry=0x7ffdadcadf10,
ismethod=ismethod@entry=0, line=1) at lparser.c:983
#2 0x0000564a27d8bbd6 in simpleexp (v=0x7ffdadcadf10,
ls=0x7ffdadcadfe0) at lparser.c:1172
#3 subexpr (ls=ls@entry=0x7ffdadcadfe0, v=v@entry=0x7ffdadcadf10,
limit=limit@entry=0) at lparser.c:1260
#4 0x0000564a27d8bdbe in expr (ls=ls@entry=0x7ffdadcadfe0,
v=v@entry=0x7ffdadcadf10) at lparser.c:1280
#5 0x0000564a27d8bec6 in explist (ls=ls@entry=0x7ffdadcadfe0,
v=v@entry=0x7ffdadcadf10) at lparser.c:1004
#6 0x0000564a27d8b4df in retstat (ls=0x7ffdadcadfe0) at lparser.c:1850
#7 statement (ls=ls@entry=0x7ffdadcadfe0) at lparser.c:1922
#8 0x0000564a27d8b707 in statlist (ls=ls@entry=0x7ffdadcadfe0) at lparser.c:792
#9 0x0000564a27d8cb34 in mainfunc (fs=0x7ffdadcadf98,
ls=0x7ffdadcadfe0) at lparser.c:1963
#10 luaY_parser (L=0x564a299622a8, z=<optimized out>,
buff=0x7ffdadcae288, dyd=<optimized out>, name=0x564a29966f38
"@test.lua", firstchar=114) at lparser.c:1986
#11 0x0000564a27d83514 in f_parser (L=0x564a299622a8,
ud=0x7ffdadcae280) at ldo.c:796
#12 0x0000564a27d819b6 in luaD_rawrunprotected (L=0x564a299622a8,
f=0x564a27d83417 <f_parser>, ud=0x7ffdadcae280) at ldo.c:148
#13 0x0000564a27d8330e in luaD_pcall (L=0x564a299622a8,
func=0x564a27d83417 <f_parser>, u=0x7ffdadcae280, old_top=80, ef=0) at
ldo.c:749
#14 0x0000564a27d835ff in luaD_protectedparser (L=0x564a299622a8,
z=0x7ffdadcae330, name=0x564a29966f38 "@test.lua", mode=0x0) at
ldo.c:813
#15 0x0000564a27d7e78c in lua_load (L=0x564a299622a8,
reader=0x564a27d9d79d <getF>, data=0x7ffdadcae3d0,
chunkname=0x564a29966f38 "@test.lua", mode=0x0) at lapi.c:1053
#16 0x0000564a27d9dbc7 in luaL_loadfilex (L=0x564a299622a8,
filename=0x7ffdadcb14d6 "test.lua", mode=0x0) at lauxlib.c:776
#17 0x0000564a27d7ae0b in handle_script (L=0x564a299622a8,
argv=0x7ffdadcb0870) at lua.c:225
#18 0x0000564a27d7b9ff in pmain (L=0x564a299622a8) at lua.c:603
#19 0x0000564a27d828d0 in luaD_call (L=0x564a299622a8,
func=0x564a29962910, nresults=1) at ldo.c:482
#20 0x0000564a27d82b6d in luaD_callnoyield (L=0x564a299622a8,
func=0x564a29962910, nResults=1) at ldo.c:526
#21 0x0000564a27d7e53a in f_call (L=0x564a299622a8, ud=0x7ffdadcb0720)
at lapi.c:997
#22 0x0000564a27d819b6 in luaD_rawrunprotected (L=0x564a299622a8,
f=0x564a27d7e505 <f_call>, ud=0x7ffdadcb0720) at ldo.c:148
#23 0x0000564a27d8330e in luaD_pcall (L=0x564a299622a8,
func=0x564a27d7e505 <f_call>, u=0x7ffdadcb0720, old_top=16, ef=0) at
ldo.c:749
#24 0x0000564a27d7e60a in lua_pcallk (L=0x564a299622a8, nargs=2,
nresults=1, errfunc=0, ctx=0, k=0x0) at lapi.c:1023
#25 0x0000564a27d7bb24 in main (argc=2, argv=0x7ffdadcb0868) at lua.c:629
(rr) print *ls
$3 = {current = 41, linenumber = 1, lastline = 1, t = {token = 40,
seminfo = {r = 4.6875231737122726e-310, i = 94876525278960, ts =
0x564a299636f0}}, lookahead = {token = 289, seminfo = {r =
4.6875231734557538e-310, i = 94876525273768, ts = 0x564a299622a8}}, fs
= 0x7ffdadcadf98, L = 0x564a299622a8,
z = 0x7ffdadcae330, buff = 0x7ffdadcae288, h = 0x564a299698a0, dyd =
0x7ffdadcae2a0, source = 0x564a29966f20, envn = 0x564a29963540}
(rr) print *clp
$4 = {next = 0x564a299698a0, tt = 10 '\n', marked = 16 '\020',
numparams = 0 '\000', is_vararg = 0 '\000', maxstacksize = 0 '\000',
sizeupvalues = 0, sizek = 0, sizecode = 0, sizelineinfo = 0, sizep =
0, sizelocvars = 0, sizeabslineinfo = 0, linedefined = 0,
lastlinedefined = 0, k = 0x0, code = 0x0, p = 0x0,
upvalues = 0x0, lineinfo = 0x0, abslineinfo = 0x0, locvars = 0x0,
source = 0x0, gclist = 0x0}
As you can see, I've recorded this using 'rr', so I can go back and forth
in time ('reverse-next', 'reverse-continue', etc.) to inspect program
state; it's compiled at -O0, so everything should be visible. I wish I
knew what I needed to look at; please advise!
Best regards,
--
DoubleF